^* By Donald C. Dowling, Jr., J.D.    Mr. Dowling, of Hewitt Associates LLC (Lincolnshire, Illinois), is Hewitt’s global employment law consultant in its Legal Consulting Practice. He serves on the Editorial Board of Alternate Dispute Resolution in Employment, he taught European Union Law at the University of Cincinnati College of Law, and he is a member of the Council of the American Bar Association’s Section of International Law & Practice. He is past chair of the ABA International Employment Law Committee and the Cincinnati Bar Association International Law Committee.

¹ How different cultures’ legal systems allow for the resolution of employment disputes reveals a lot about each culture and legal system. Generally, U.S. employment law allows for conciliation with a government agency, with, ultimately, a right to sue in court, including for enhanced damages. European employment laws focus more on administrative remedies, and on dispute resolution through employee representatives; when a European employment law gives a right to sue, it is most often in a special-jurisdiction labor court, with damages capped. A fascinating penalty for violating an employment law appears in the new Japanese Equal Opportunity Law, which came into effect on 1 April 1999, and which – for the first time ever in Japan—broadly prohibits sex discrimination. Japan’s new law contains broad mediation procedures, but an employer which places sexist help-wanted advertisements gets "punished by having [the company’s] nam[e] officially released." "Revised Equal Employment Opportunity Law Came into Effect April 1," Japan Labor Law Bulletin (June 1, 1999), at 2. See also generally note 45, infra, and accompanying text.

² Undated, unsolicited mailing received in Illinois in Fall, 1998 from On-Line Investigations, Inc., "P.I. License #117-00749."

³ "Drivers Angered over Firm’s Purchase of Photos," Washington Post, Jan. 28, 1999 (available in Washington Post on-line database).

⁴ Id.

⁵ For a brief summary of the EU’s political structure by this author, see Donald C. Dowling, Jr., "Worker Rights in the Post-1992 European Communities: What ‘Social Europe’ Means to U.S.-Based Multinational Employers," 11 Northwestern J. of Int’l Law & Business 564, 574-77 (1991); see also generally Donald C. Dowling, Jr., EC Employment Law After Maastricht: ‘Continental Social Europe’?," 27 The Int’l Lawyer 1 (1993); Donald C. Dowling, Jr., "From the Social Charter to the Social Action Program 1995-1997: European Union Employment Law Comes Alive, 29 Cornell Int’l Law J. 43 (1996).

⁶ On "direct effect" and "direct applicability" generally (and the distinction between them), see generally Lucie A. Carswell & Xavier de Sarrau, Law & Business in the European Single Market (1993) [hereinafter Carswell & de Sarrau] at §3.04[4][b]; 3.04[e] ("The Court of Justice has developed the principle that provisions of a directive may require direct effect on the expiration of the period prescribed for implementation, provided the directive fulfills the other criteria for direct effect . . . .").

⁷ For examples of the member states’ reluctance to transpose certain directives on time, see, e.g., G. Bermann, R. Goebel, W. Davey & E. Fox, Cases and Materials on European Community Law 182-92 (1993).

⁸ On the supremacy of EU law and private rights of action, see generally Carswell & de Sarrau, supra note 6, at §3.02[3].

⁹ Greece Law No. 2472 of 9 April 1997; Denmark Law No. 400 of 26 June 1998; Spain Royal Decree No. 156/96 of Feb. 2, 1996; U.K. Data Protection Act (July 16, 1998) (the U.K. law did not come into force until 1999). Data protection laws pre-dating the directive existed, at least, in France, Germany, and Ireland. An examination of the terms of member state law is beyond the scope of this Article. As to researching member state law, see citation infra, note 13.

¹⁰ "Struggle Continues with EU Personal Data Protection Directive," Euro-Watch, Jan. 15, 1999, at 1. The lesson for U.S.-based employers of Europeans is that while the data privacy directive sets out a blueprint for designing a single EU-wide data processing system, operations in specific EU member states need to adhere to that state’s implementing law on data privacy. Indeed, the member state ministers responsible for data privacy concerns have shown substantial independence from Brussels—notably on their refusal to allow the EU to negotiate a "safe harbor" on their behalf with the U.S. See infra notes 33-43 and accompanying text. As a starting point in researching individual data privacy laws in the member states (and, indeed, in non-EU countries as well), a web-site exists which summarizes these laws: Privacy Exchange.org (available through www.pandab.org).

¹¹ OECD Council, Sept. 23, 1980. For more recent OECD pronouncements, see Draft Ministerial Declaration on the Protection of Privacy on Global Networks, Aug. 17, 1998; Proceedings of Privacy Protection in a Global Networked Society: An OECD International Workshop with the Support of the Business and Industry Advisory Committee, OECD, Paris, Feb. 16–17, 1998.

¹² Convention 108 of 28 January 1981.

¹³ See summaries of national laws on-line at Privacy Exchange.org. (available through www.pandab.org).

¹⁴ EU Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data] [hereinafter "Data Privacy Directive"]. As to how U.S.-based companies had not focused on the directive before 1998, see, e.g., "EU Privacy Paridigm May Lock U.S. Firms Out," U.S.A. Today, Oct. 21, 1998, at 6D; "Data Privacy is an Issue as EU Law Takes Effect, Wall St. J., Oct. 21, 1998 (on-line); "European Law Aims to Protect Privacy of Data," New York Times, Oct. 26, 1998 (on-line).

¹⁵ See discussion infra accompanying notes 33–44. See generally "EU Privacy Paradigm May Lock U.S. Firms Out," USA Today, Oct. 21, 1988, at 6D.

¹⁶ Data Privacy Directive, supra note 14, at art. 1.

¹⁷Id. at art. 2.

¹⁸ Id.

¹⁹ Id. at art. 6. Anyone familiar with the human resources record-keeping of U.S.-based multinational companies will tell you that few if any U.S.-based companies already are respecting these five data quality principles in their U.S. employment operations. U.S. employee record systems often collect information for no specific reason, few U.S. personnel data systems purge data no longer needed, and procedures for giving "data subjects" access to data and power to correct it are rare.

²⁰ Id. at art. 6.

²¹ Id. at art. 8.1.

²² Id. at arts. 14–15.

²³ Id.

²⁴ Id. at art. 11.

²⁵ Id. at art. 17.1.

²⁶ Id. at art. 7.

²⁷ Id. at arts. 8.5 (criminal convictions) and 8.1 (sensitive data).

²⁸ Id. at art. 12.

²⁹ Id. at arts. 17.2–17.3.

³⁰ Id. These dispute resolution provisions are discussed more fully infra, in the final section of this article.

³¹ Cuban Liberty and Democratic Solidarity (LIBERTAD) Act, Pub.L.No. 104-114, 104^th Cong. (1996), signed into law Mar. 1, 1996.

³² Codified as 29 U.S.C. sec. 623(h), 630(f) (ADEA abroad); 42 U.S.C. sec. 2000 e-1(a), (c), 2000 e-5(f)(3) (Title VII abroad); 42 U.S.C. sec. 12111(4), 12112(c) (ADA abroad).

³³Id. at arts. 18, 20, 28.

³⁴ To Europeans, the overseas reach of the data privacy law is not philosophically inappropriate; the U.S., Europeans say, is too lax in protecting its own citizens’ privacy. This deficiency, Europeans argue, cannot allow U.S.-based multinational employers to invade the privacy of European workers—such as by selling European names to telemarketers. As to enforcement: The data privacy law does not envision chasing violations down on foreign soil. Rather, the prohibition is against sending information off of European soil—so violators will be entities already doing business in Europe. In the context of a U.S.-based multinational employer processing personnel information stateside, there will already be a European-licensed entity employing the Europeans; when that entity sends data to the U.S. parent, that entity—and likely not the U.S. parent—will violate the European data law. Enforcement will be against the local entity, so there is no sovereignty issue.

³⁵ Data Privacy Directive, supra note 14, at arts. 22–23 (emphasis added).

³⁶ For a citation to summaries of these countries’ national data privacy laws, see supra note 13.

³⁷ For more on articles 25 and 26, see Working Party on the Protection of Individuals with Regard to the Processing of Personal Data (EU Commission DG XV), Working Document; Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive, DG XV D/5025/98 WP 12 (July 24, 1998). See generally P&AB (self-titled newsletter), and P&AB, Feb.–Mar. 1999, at 17 ("Where Does U.S./EU Accommodation Lie?").

³⁸ See "Data Protection and Privacy: Comments to the European-American Business Council," Speech by John F. Mogg, Director-General, DG XV, March 18, 1998 (available on-line at eurunion.org/news/speeches/980318jm.htm); "Status of U.S./EU Discussion of the Data Protection Directive," speech by Hugo Paeman, EU Ambassador to the U.S., September 28, 1998 [hereinafter "Paeman Speech"].

³⁹ Peter P. Swire & Robert E. Litan, None of Your Business: World Data Flows, Electronic Commerce, and the European Data Privacy Directive (1998) (Brookings Institution Press).

⁴⁰ A flaw in the reasoning here is that even if the European data privacy community unanimously agreed to adopt a set of safe harbor principles, transmitting data outside Europe to a corporation which agreed to live by these principles would not seem to comply with the directive’s requirement that personal data can go from Europe only to a "third country" which offers "adequate protections." See Data Privacy Directive, supra note 14, at art. 25.1 (emphasis added). This problem, however, was apparently swept aside as the EU and U.S. focused on the safe harbor as the most viable approach to trans-Atlantic data privacy.

⁴¹ Paeman Speech, supra note 38.

⁴² Privacy & American Business [hereinafter P&AB], an activity of the non-profit Center for Social & Legal Research; Two University Plaza, suite 414; Hackensack, N.J. 07601; phone (201)996-1154; fax (201)996-1883; e-mail ctrslr@aol.com. P&AB sponsors programs on the human resources effect of the EU data privacy directive, including the January 1999 Teaneck, N.J. program called "HR Data and the European Privacy Directive: Meeting the Challenge in Global Organizations," and the October 1999 San Francisco program called "HR Data Protection in the Global Arena: Meeting the New Corporate Privacy Challenges. "

⁴³ Speech by Sir John Richardson, Minister & Deputy Head of the Delegation of the European Commission to the United States, Aug. 9, 1999; speech by Barbara Wellbery, Counselor for Electronic Commerce to the Under Secretary for International Trade, U.S. Department of Commerce, Aug. 9, 1999. Both speeches were part of "Privacy and Security Issues in International Electronic Commerce—The U.S. and Europe Address Data Privacy" Presidential Showcase Program, American Bar Association Section of International Law & Practice, 1999 Annual Meeting, Atlanta, Ga.

⁴⁴ The discussion that follows of course does not supplant the text of the data privacy directive itself. For the original language, see Data Privacy Directive, supra note 14, at arts. 10, 12, 14, 22, 23, and 24.

⁴⁵ Council Directive 91/533 on an Employer’s Obligation to Inform Employees of the Conditions Applicable to the Contract or Employment Relationship, 1991 O.J. (L 288) 32. See also generally note 1, supra.